<pre style='margin:0'>
Christopher Nielsen (mascguy) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/2edc767fcd43edc4e6144aaca071adf3779a3581">https://github.com/macports/macports-ports/commit/2edc767fcd43edc4e6144aaca071adf3779a3581</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new 2edc767fcd4 macos-fortress: Update to squid5
</span>2edc767fcd4 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit 2edc767fcd43edc4e6144aaca071adf3779a3581
</span>Author: Steven Thomas Smith <s.t.smith@ieee.org>
AuthorDate: Wed Nov 10 06:35:51 2021 -0500
<span style='display:block; white-space:pre;color:#404040;'> macos-fortress: Update to squid5
</span>---
net/macos-fortress/Portfile | 14 +-
net/macos-fortress/files/squid-squid.conf.patch | 79 +--
net/macos-fortress/files/squid.conf.macports | 770 ++++++++++++++++++++----
3 files changed, 701 insertions(+), 162 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/Portfile b/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index e3be1484af4..4757a8b021d 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,8 +4,8 @@ PortSystem 1.0
</span> PortGroup active_variants 1.1
name macos-fortress
<span style='display:block; white-space:pre;background:#ffe0e0;'>-version 2021.10.23
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+version 2021.11.10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 0
</span>
categories net security
platforms darwin
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -686,12 +686,14 @@ subport ${name}-proxy-squid {
</span>
conflicts ${name}-proxy
<span style='display:block; white-space:pre;background:#e0ffe0;'>+ set squid_major_version 5
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> depends_lib-append \
port:${name}-easylistpac \
port:${name}-hosts \
port:adblock2privoxy \
port:privoxy \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- port:squid4
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ port:squid${squid_major_version}
</span>
# squid patch file creation
## export prefix=${prefix}
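Review bot: The new `port:squid${squid_major_version}` dependency is unversioned, while the files regenerated in this same commit are pinned to one upstream release: squid.conf.macports is headed `WELCOME TO SQUID 5.2` and every hunk offset in squid-squid.conf.patch (`@@ -861,6 +861,7 @@` onward) was recomputed against that exact squid.conf. The next squid5 port bump can shift those offsets so the patch applies with fuzz to the wrong stanza or fails outright, and nothing in the Portfile records that coupling. Consider a comment next to the new `set squid_major_version 5`, e.g. `# squid.conf.macports and squid-squid.conf.patch were regenerated against squid5 @5.2; redo the "squid patch file creation" steps below whenever squid5 is updated`. The `${name}-proxy-squid` subport body starts before and continues after this hunk.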
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -734,13 +736,13 @@ subport ${name}-proxy-squid {
</span> startupitems \
name ${subport} \
start [list \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "\${prefix}/bin/port -p load ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "\${prefix}/bin/port -p load ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
</span> ] \
stop [list \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "\${prefix}/bin/port -p unload ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "\${prefix}/bin/port -p unload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
</span> ] \
restart [list \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- "\${prefix}/bin/port -p reload ${name}-hosts squid4 privoxy adblock2privoxy ${name}-easylistpac" \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "\${prefix}/bin/port -p reload ${name}-hosts squid${squid_major_version} privoxy adblock2privoxy ${name}-easylistpac" \
</span> ] \
pidfile none \
name ${subport}.squid-rotate \
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/squid-squid.conf.patch b/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;color:#808080;'>index c80bb807e6f..985e8e35cd7 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/squid-squid.conf.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,6 +1,6 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>---- ./squid.conf 2020-06-17 22:53:48.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+++ ./squid.conf 2020-06-17 23:04:19.000000000 -0400
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -798,6 +798,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- ./squid.conf 2021-11-10 06:22:18.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ ./squid.conf 2021-11-10 06:24:17.000000000 -0500
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -861,6 +861,7 @@
</span> # user="J. \"Bob\" Smith"
#Default:
# none
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8,7 +8,7 @@
</span>
# TAG: acl
# Defining an Access List
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1294,12 +1295,9 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1432,12 +1433,9 @@
</span> # Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -24,7 +24,7 @@
</span> acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -1563,8 +1561,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1700,8 +1698,8 @@
</span> # See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
#
## Allow ICP queries from local networks only
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -35,7 +35,7 @@
</span> #Default:
# Deny, unless rules exist in squid.conf.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -2015,10 +2013,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2207,10 +2205,10 @@
</span> #
# Squid normally listens to port 3128
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -48,7 +48,7 @@
</span> #
# The socket address where Squid will listen for client requests made
# over TLS or SSL connections. Commonly referred to as HTTPS.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3308,6 +3306,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3535,6 +3533,16 @@
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -65,7 +65,7 @@
</span> # TAG: cache_peer_access
# Restricts usage of cache_peer proxies.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3346,6 +3354,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3573,6 +3581,14 @@
</span> #Default:
# No peer usage restrictions.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -80,7 +80,7 @@
</span> # TAG: neighbor_type_domain
# Modify the cache_peer neighbor type when passing requests
# about specific domains to the peer.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3441,6 +3457,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3668,6 +3684,7 @@
</span> # enough to keep larger objects from hoarding cache_mem.
#Default:
# maximum_object_size_in_memory 512 KB
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -88,7 +88,7 @@
</span>
# TAG: memory_cache_shared on|off
# Controls whether the memory cache is shared among SMP workers.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3523,6 +3540,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3750,6 +3767,7 @@
</span> # and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#Default:
# cache_replacement_policy lru
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -96,7 +96,7 @@
</span>
# TAG: minimum_object_size (bytes)
# Objects smaller than this size will NOT be saved on disk. The
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3547,6 +3565,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3774,6 +3792,7 @@
</span> # See cache_replacement_policy for a discussion of this policy.
#Default:
# maximum_object_size 4 MB
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -104,19 +104,16 @@
</span>
# TAG: cache_dir
# Format:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -3702,9 +3721,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #Default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # No disk cache. Store cache ojects only in memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -3931,7 +3950,7 @@
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span>
# Uncomment and adjust the following to add a disk cache directory.
-#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
<span style='display:block; white-space:pre;background:#ffe0e0;'>-+#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
</span>
# TAG: store_dir_select_algorithm
# How Squid selects which cache_dir to use when the response
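Review bot: The disk cache size silently drops from 256 MB to 100 MB in this hunk: the old patch inserted `+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256` and left the stock 100 MB line commented out, whereas the new patch only uncomments the stock line, `+cache_dir ufs @PREFIX@/var/squid/cache 100 16 256`. Removing the second, duplicate `cache_dir` line the old patch also added (in the coredump_dir hunk further down) is a real fix, but the size change is a user-visible behaviour change that the commit message `Update to squid5` does not mention. If the reduction is intentional, state it in the patch, e.g. `+# 100 MB disk cache (macos-fortress with squid4 used 256 MB)`; otherwise keep the previous value with `+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256`.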
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4533,8 +4553,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4824,8 +4843,11 @@
</span> # in the habit of using 'squid -k rotate' instead of 'kill -USR1
# <pid>'.
#
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -128,7 +125,7 @@
</span>
# TAG: mime_table
# Path to Squid's icon configuration file.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4590,6 +4613,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4881,6 +4903,7 @@
</span> # Currently honored by 'daemon' and 'tcp' access_log modules only.
#Default:
# buffered_logs off
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -136,19 +133,7 @@
</span>
# TAG: netdb_filename
# Note: This option is only available if Squid is rebuilt with the
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -4639,9 +4663,10 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #Default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Use the directory from where Squid was started.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- #
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # Leave coredumps in the first cache dir
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--coredump_dir @PREFIX@/var/squid/cache
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-+coredump_dir @PREFIX@/var/squid/cache
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # OPTIONS FOR FTP GATEWAYING
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>- # -----------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5351,15 +5376,25 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5652,15 +5675,25 @@
</span> refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
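Review bot: Dropping this hunk removes the only place the patch set `coredump_dir @PREFIX@/var/squid/cache`, and no replacement appears elsewhere in the new patch. The removed `-coredump_dir`/`+coredump_dir` pair is textually identical here, which suggests the squid4 port's stock squid.conf already carried that value and the hunk existed mainly for the duplicate `cache_dir` line it inserted; whether the squid5 port's stock file still sets `coredump_dir` is not visible in this diff. If it does not, squid falls back to the default quoted in the removed context, `Use the directory from where Squid was started`, and a crash would write a core file — which can contain in-flight request data and any configured credentials — to whatever working directory the launchd job happened to have. Please confirm the installed squid5 squid.conf sets `coredump_dir` to a directory owned by the squid user, or re-add `+coredump_dir @PREFIX@/var/squid/cache` to the patch.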
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -175,7 +160,7 @@
</span>
# TAG: quick_abort_pct (percent)
# The cache by default continues downloading aborted requests
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5577,6 +5612,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5878,6 +5911,7 @@
</span> # replies as required by RFC2616.
#Default:
# via on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -183,7 +168,7 @@
</span>
# TAG: vary_ignore_expire on|off
# Many HTTP servers supporting Vary gives such objects
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -5669,6 +5705,130 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -5970,6 +6004,130 @@
</span> #Default:
# No limits.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -314,7 +299,7 @@
</span> # TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6036,6 +6196,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -6374,6 +6532,10 @@
</span> # seconds will receive a 'timeout' message.
#Default:
# shutdown_lifetime 30 seconds
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -325,7 +310,7 @@
</span>
# ADMINISTRATIVE PARAMETERS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6104,6 +6268,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -6442,6 +6604,7 @@
</span> # names with this setting.
#Default:
# Automatically detect the system host name
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -333,7 +318,7 @@
</span>
# TAG: unique_hostname
# If you want to have multiple machines with the same
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -6832,6 +6997,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7222,6 +7385,7 @@
</span> # up or to simplify log analysis.
#Default:
# log_icp_queries on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -341,7 +326,7 @@
</span>
# TAG: udp_incoming_address
# udp_incoming_address is used for UDP packets received from other
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -7329,6 +7495,41 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7720,6 +7884,41 @@
</span> #Default:
# Prevent any cache_peer being used for this request.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -383,7 +368,7 @@
</span> # TAG: never_direct
# Usage: never_direct allow|deny [!]aclname ...
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -7358,6 +7559,14 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -7749,6 +7948,14 @@
</span> #Default:
# Allow DNS results to be used for this request.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -398,7 +383,7 @@
</span> # ADVANCED NETWORKING OPTIONS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8198,6 +8407,12 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8589,6 +8796,12 @@
</span> #Default:
# Use operating system definitions
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -411,7 +396,7 @@
</span> # TAG: hosts_file
# Location of the host-local IP name-address associations
# database. Most Operating Systems have such a file on different
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8223,6 +8438,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8614,6 +8827,7 @@
</span> # definitions.
#Default:
# hosts_file /etc/hosts
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -419,7 +404,7 @@
</span>
# TAG: append_domain
# Appends local domain name to hostnames without any dots in
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8265,6 +8481,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8641,6 +8855,7 @@
</span> # Maximum number of DNS IP cache entries.
#Default:
# ipcache_size 1024
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -427,7 +412,7 @@
</span>
# TAG: ipcache_low (percent)
#Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8279,6 +8496,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8655,6 +8870,7 @@
</span> # Maximum number of FQDN cache entries.
#Default:
# fqdncache_size 1024
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -435,7 +420,7 @@
</span>
# MISCELLANEOUS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8299,6 +8517,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8675,6 +8891,7 @@
</span> # routines, disable this.
#Default:
# memory_pools on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -443,7 +428,7 @@
</span>
# TAG: memory_pools_limit (bytes)
# Used only with memory_pools on:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8345,6 +8564,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8721,6 +8938,7 @@
</span> # X-Forwarded-For entries, and place the client IP as the sole entry.
#Default:
# forwarded_for on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -451,7 +436,7 @@
</span>
# TAG: cachemgr_passwd
# Specify passwords for cachemgr operations.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8412,6 +8632,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8788,6 +9006,7 @@
</span> # turn off client_db here.
#Default:
# client_db on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -459,7 +444,7 @@
</span>
# TAG: refresh_all_ims on|off
# When you enable this option, squid will always check
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8542,6 +8763,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8918,6 +9137,7 @@
</span> # WARNING: pipelining breaks NTLM and Negotiate/Kerberos authentication.
#Default:
# Do not pre-parse pipelined requests.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -467,7 +452,7 @@
</span>
# TAG: high_response_time_warning (msec)
# If the one-minute median response time exceeds this value,
<span style='display:block; white-space:pre;background:#ffe0e0;'>-@@ -8599,6 +8821,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -8978,6 +9198,7 @@
</span> # Whether to lookup the EUI or MAC address of a connected client.
#Default:
# eui_lookup on
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/macos-fortress/files/squid.conf.macports b/net/macos-fortress/files/squid.conf.macports
</span><span style='display:block; white-space:pre;color:#808080;'>index 5669c53daa4..c0e5884f8db 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/macos-fortress/files/squid.conf.macports
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/macos-fortress/files/squid.conf.macports
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1,4 +1,4 @@
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# WELCOME TO SQUID 4.10
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WELCOME TO SQUID 5.2
</span> # ----------------------------
#
# This is the documentation for the Squid configuration file.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -45,6 +45,24 @@
</span> # MB - Megabyte
# GB - Gigabyte
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# Values with time units
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Time-related directives marked with either "time-units" or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "time-units-small" accept a time unit. The supported time units are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# nanosecond (time-units-small only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# microsecond (time-units-small only)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# millisecond
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# second
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minute
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hour
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# day
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# week
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# fortnight
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# month - 30 days
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# year - 31557790080 milliseconds (just over 365 days)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# decade
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # Values with spaces, quotes, and other special characters
#
# Squid supports directive parameters with spaces, quotes, and other
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -56,7 +74,7 @@
</span> # files using the syntax:
# parameters("/path/filename")
# For example:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# acl whitelist dstdomain parameters("/etc/squid/whitelist.txt")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl allowlist dstdomain parameters("/etc/squid/allowlist.txt")
</span> #
# Conditional configuration
#
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -145,6 +163,11 @@
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: dns_v4_first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Remove this line. Squid no longer supports preferential treatment of DNS A records.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # TAG: cache_peer_domain
# Replace with dstdomain ACLs and cache_peer_access.
#Default:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -505,6 +528,7 @@
</span> #
# "children" numberofchildren [startup=N] [idle=N] [concurrency=N]
# [queue-size=N] [on-persistent-overload=action]
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# [reservation-timeout=seconds]
</span> #
# The maximum number of authenticator processes to spawn. If
# you start too few Squid will have to wait for them to process
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -557,6 +581,48 @@
</span> # NOTE: NTLM and Negotiate schemes do not support concurrency
# in the Squid code module even though some helpers can.
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# The reservation-timeout=seconds option allows NTLM and Negotiate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helpers to forget about clients that abandon their in-progress
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection authentication without closing the connection. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# timeout is measured since the last helper response received by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid for the client. Fractional seconds are not supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# After the timeout, the helper will be used for other clients if
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# there are no unreserved helpers available. In the latter case,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the old client attempt to resume authentication will not be
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# forwarded to the helper (and the client should open a new HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection and retry authentication from scratch).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, reservations do not expire and clients that keep
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their connections open without completing authentication may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# exhaust all NTLM and Negotiate helpers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "keep_alive" on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If you experience problems with PUT/POST requests when using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the NTLM or Negotiate schemes then you can try setting this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to off. This will cause Squid to forcibly close the connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the initial request where the browser asks which schemes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# are supported by the proxy.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For Basic and Digest this parameter is ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# "utf8" on|off
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Useful for sending credentials to authentication backends that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# expect UTF-8 encoding (e.g., LDAP).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this option is enabled, Squid uses HTTP Accept-Language
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# request header to guess the received credentials encoding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (ISO-Latin-1, CP1251, or UTF-8) and then converts the first
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# two encodings into UTF-8.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When this option is disabled and by default, Squid sends
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# credentials in their original (i.e. received) encoding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This parameter is only honored for Basic and Digest schemes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For Basic, the entire username:password credentials are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checked and, if necessary, re-encoded. For Digest -- just the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# username component. For NTLM and Negotiate schemes, this
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# parameter is ignored.
</span> #
#
# === Example Configuration ===
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -567,7 +633,6 @@
</span> #
##auth_param negotiate program <uncomment and complete this line to activate>
##auth_param negotiate children 20 startup=0 idle=1
<span style='display:block; white-space:pre;background:#ffe0e0;'>-##auth_param negotiate keep_alive on
</span> ##
##auth_param digest program <uncomment and complete this line to activate>
##auth_param digest children 20 startup=0 idle=1
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -578,11 +643,9 @@
</span> ##
##auth_param ntlm program <uncomment and complete this line to activate>
##auth_param ntlm children 20 startup=0 idle=1
<span style='display:block; white-space:pre;background:#ffe0e0;'>-##auth_param ntlm keep_alive on
</span> ##
##auth_param basic program <uncomment and complete this line>
##auth_param basic children 5 startup=5 idle=1
<span style='display:block; white-space:pre;background:#ffe0e0;'>-##auth_param basic realm Squid proxy-caching web server
</span> ##auth_param basic credentialsttl 2 hours
#Default:
# none
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -877,6 +940,10 @@ logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
</span> #endif
# acl aclname clientside_mark mark[/mask] ...
# # matches CONNMARK of an accepted connection [fast]
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# # DEPRECATED. Use the 'client_connection_mark' instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname client_connection_mark mark[/mask] ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # matches CONNMARK of an accepted connection [fast]
</span> # #
# # mark and mask are unsigned integers (hex, octal, or decimal).
# # If multiple marks are given, then the ACL matches if at least
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1087,6 +1154,79 @@ logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
</span> # # Annotation sources include note and adaptation_meta directives
# # as well as helper and eCAP responses.
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname annotate_transaction [-m[=delimiters]] key=value ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname annotate_transaction [-m[=delimiters]] key+=value ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Always matches. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Used for its side effect: This ACL immediately adds a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # key=value annotation to the current master transaction.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The added annotation can then be tested using note ACL and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # logged (or sent to helpers) using %note format code.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Annotations can be specified using replacement and addition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # formats. The key=value form replaces old same-key annotation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # value(s). The key+=value form appends a new value to the old
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # same-key annotation. Both forms create a new key=value
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # annotation if no same-key annotation exists already. If
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # -m flag is used, then the value is interpreted as a list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and the annotation will contain key=token pair(s) instead of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # whole key=value pair.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # This ACL is especially useful for recording complex multi-step
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ACL-driven decisions. For example, the following configuration
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # avoids logging transactions accepted after aclX matched:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # First, mark transactions accepted after aclX matched
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl markSpecial annotate_transaction special=true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http_access allow acl001
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http_access deny acl100
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # http_access allow aclX markSpecial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # Second, do not log marked transactions:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl markedSpecial note special true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # access_log ... deny markedSpecial
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # Note that the following would not have worked because aclX
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # alone does not determine whether the transaction was allowed:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # access_log ... deny aclX # Wrong!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Warning: This ACL annotates the transaction even when negated
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and even if subsequent ACLs fail to match. For example, the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # following three rules will have exactly the same effect as far
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # as annotations set by the "mark" ACL are concerned:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # some_directive acl1 ... mark # rule matches if mark is reached
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # some_directive acl1 ... !mark # rule never matches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # some_directive acl1 ... mark !all # rule never matches
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname annotate_client [-m[=delimiters]] key=value ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl aclname annotate_client [-m[=delimiters]] key+=value ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Always matches. [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Used for its side effect: This ACL immediately adds a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # key=value annotation to the current client-to-Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # connection. Connection annotations are propagated to the current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # and all future master transactions on the annotated connection.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # See the annotate_transaction ACL for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # For example, the following configuration avoids rewriting URLs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # of transactions bumped by SslBump:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # First, mark bumped connections:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl markBumped annotate_client bumped=true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ssl_bump peek acl1
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ssl_bump stare acl2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ssl_bump bump acl3 markBumped
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # ssl_bump splice all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # Second, do not send marked transactions to the redirector:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # acl markedBumped note bumped true
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # url_rewrite_access deny markedBumped
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# #
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # Note that the following would not have worked because acl3 alone
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # # does not determine whether the connection is going to be bumped:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # url_rewrite_access deny acl3 # Wrong!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # acl aclname adaptation_service service ...
# # Matches the name of any icap_service, ecap_service,
# # adaptation_service_set, or adaptation_service_chain that Squid
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1145,6 +1285,15 @@ logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
</span> # # acl hasWhatMyLoggingDaemonNeeds has request
# # acl hasWhatMyLoggingDaemonNeeds has response
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+#acl aclname at_step step
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # match against the current request processing step [fast]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # Valid steps are:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # GeneratingCONNECT: Generating HTTP CONNECT request headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # The following ssl_bump processing steps are recognized:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump1: After getting TCP-level and HTTP CONNECT info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump2: After getting SSL Client Hello info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # SslBump3: After getting SSL Server Hello info.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # acl aclname ssl_error errorname
# # match against SSL certificate validation error [fast]
# #
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1175,17 +1324,6 @@ logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
</span> # # The SHA1 digest algorithm is the default and is currently
# # the only algorithm supported (-sha1).
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# acl aclname at_step step
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # match against the current step during ssl_bump evaluation [fast]
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # Never matches and should not be used outside the ssl_bump context.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# #
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # At each SslBump step, Squid evaluates ssl_bump directives to find
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # the next bumping action (e.g., peek or splice). Valid SslBump step
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # values and the corresponding ssl_bump evaluation moments are:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # SslBump1: After getting TCP-level and HTTP CONNECT info.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # SslBump2: After getting SSL Client Hello info.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# # SslBump3: After getting SSL Server Hello info.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-#
</span> # acl aclname ssl::server_name [option] .foo.com ...
# # matches server name obtained from various sources [fast]
# #
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1286,7 +1424,7 @@ logformat squid_ua %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
</span> # acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# ACLs all, manager, localhost, and to_localhost are predefined.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ACLs all, manager, localhost, to_localhost, and CONNECT are predefined.
</span> #
#
# Recommended minimum configuration:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1312,7 +1450,6 @@ acl Safe_ports port 280 # http-mgmt
</span> acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
<span style='display:block; white-space:pre;background:#ffe0e0;'>-acl CONNECT method CONNECT
</span>
# TAG: proxy_protocol_access
# Determine which client proxies can be trusted to provide correct
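Review bot: Dropping `acl CONNECT method CONNECT` leaves any `http_access deny CONNECT !SSL_ports` rule elsewhere in this file (outside this hunk) relying on the built-in CONNECT ACL that the updated "Default" comment in this diff lists for Squid 5; on an older Squid build that reference would presumably be an undefined ACL and the configuration rejected at startup, so this file is now Squid-5-only. A one-line comment at this spot would stop the next editor from re-adding the definition, e.g. `# CONNECT is a built-in ACL in Squid 5; do not redefine it here`. The Safe_ports block this hunk sits in starts before the hunk.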
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1739,6 +1876,46 @@ icp_access deny all
</span> #Default:
# Respond with an error message to unidentifiable traffic
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: auth_schemes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this directive to customize authentication schemes presence and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# order in Squid's Unauthorized and Authentication Required responses.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_schemes scheme1,scheme2,... [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# where schemeN is the name of one of the authentication schemes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# configured using auth_param directives. At least one scheme name is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# required. Multiple scheme names are separated by commas. Either
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# avoid whitespace or quote the entire schemes list.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A special "ALL" scheme name expands to all auth_param-configured
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# schemes in their configuration order. This directive cannot be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to configure Squid to offer no authentication schemes at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The first matching auth_schemes rule determines the schemes order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the current Authentication Required transaction. Note that the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# future response is not yet available during auth_schemes evaluation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If this directive is not used or none of its rules match, then Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responds with all configured authentication schemes in the order of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_param directives in the configuration file.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive does not determine when authentication is used or
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# how each authentication scheme authenticates clients.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following example sends basic and negotiate authentication
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# schemes, in that order, when requesting authentication of HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests matching the isIE ACL (not shown) while sending all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_param schemes in their configuration order to other clients:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_schemes basic,negotiate isIE
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# auth_schemes ALL all # explicit default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive supports fast ACLs only.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: auth_param.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# use all auth_param schemes in their configuration order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # NETWORK OPTIONS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -1951,6 +2128,11 @@ icp_access deny all
</span> # Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented).
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# CONDITIONAL_AUTH
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Request a client certificate during the TLS
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# handshake, but ignore certificate absence in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the TLS client Hello. If the client does
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# supply a certificate, it is validated.
</span> # NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2002,9 +2184,19 @@ icp_access deny all
</span> #
# require-proxy-header
# Require PROXY protocol version 1 or 2 connections.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# The proxy_protocol_access is required to whitelist
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The proxy_protocol_access is required to permit
</span> # downstream proxies which can be trusted.
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# worker-queues
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Ask TCP stack to maintain a dedicated listening queue
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for each worker accepting requests at this port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requires TCP stack that supports the SO_REUSEPORT socket
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# option.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# SECURITY WARNING: Enabling worker-specific queues
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# allows any process running as Squid's effective user to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# easily accept requests destined to this port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2175,22 +2367,22 @@ http_port @PROXY_SERVER@:3128
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# TAG: clientside_mark
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mark_client_packet
</span> # Note: This option is only available if Squid is rebuilt with the
# Packet MARK (Linux)
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Allows you to apply a Netfilter mark value to packets being transmitted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to apply a Netfilter MARK value to packets being transmitted
</span> # on the client-side, based on an ACL.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# clientside_mark mark-value [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark_client_packet mark-value [!]aclname ...
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Example where normal_service_net uses the mark value 0x00
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where normal_service_net uses the MARK value 0x00
</span> # and good_service_net uses 0x20
#
# acl normal_service_net src 10.0.0.0/24
# acl good_service_net src 10.0.1.0/24
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# clientside_mark 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# clientside_mark 0x20 good_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark_client_packet 0x00 normal_service_net
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark_client_packet 0x20 good_service_net
</span> #
# Note: This feature is incompatible with qos_flows. Any mark values set here
# will be overwritten by mark values in qos_flows.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -2200,6 +2392,41 @@ http_port @PROXY_SERVER@:3128
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: mark_client_connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Packet MARK (Linux)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Allows you to apply a Netfilter CONNMARK value to a connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# on the client-side, based on an ACL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark_client_connection mark-value[/mask] [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mark-value and mask are unsigned integers (hex, octal, or decimal).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The mask may be used to preserve marking previously set by other agents
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (e.g., iptables).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A matching rule replaces the CONNMARK value. If a mask is also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# specified, then the masked bits of the original value are zeroed, and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the configured mark-value is ORed with that adjusted value.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For example, applying a mark-value 0xAB/0xF to 0x5F CONNMARK, results
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in a 0xFB marking (rather than a 0xAB or 0x5B).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive semantics is similar to iptables --set-mark rather than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --set-xmark functionality.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The directive does not interfere with qos_flows (which uses packet MARKs,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not CONNMARKs).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example where squid marks intercepted FTP connections:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl proto_ftp proto FTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# mark_client_connection 0x200/0xff00 proto_ftp
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # TAG: qos_flows
# Allows you to select a TOS/DSCP value to mark outgoing
# connections to the client, based on where the reply was sourced.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3721,10 +3948,9 @@ maximum_object_size 64 MB
</span> #Default:
# No disk cache. Store cache ojects only in memory.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span>
# Uncomment and adjust the following to add a disk cache directory.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-#cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+cache_dir ufs @PREFIX@/var/squid/cache 100 16 256
</span>
# TAG: store_dir_select_algorithm
# How Squid selects which cache_dir to use when the response
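Review bot: The comment directly above the now-active directive still says `# Uncomment and adjust the following to add a disk cache directory.`, which no longer matches an uncommented line, and the swap also shrinks the disk cache from 256 MB to 100 MB with nothing explaining why. Replacing that comment with `# Disk cache: 100 MB, 16 first-level and 256 second-level subdirectories; adjust the size to taste` would make the change self-explanatory. If the smaller size is intentional, a short note that an existing cache under @PREFIX@/var/squid/cache is presumably trimmed down to the new limit on the next start would help users upgrading in place.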
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3923,6 +4149,14 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # individual notes. There is currently no way to
# specify both value and notes separators when logging
# all notes with %note.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# master_xaction The master transaction identifier is an unsigned
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# integer. These IDs are guaranteed to monotonically
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# increase within a single worker process lifetime, with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# higher values corresponding to transactions that were
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# accepted or initiated later. Due to current implementation
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# deficiencies, some IDs are skipped (i.e. never logged).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Concurrent workers and restarted workers use similar,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# overlapping sequences of master transaction IDs.
</span> #
# Connection related format codes:
#
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3933,7 +4167,7 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # >la Local IP address the client connected to
# >lp Local port number the client connected to
# >qos Client connection TOS/DSCP value set by Squid
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# >nfmark Client connection netfilter mark set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# >nfmark Client connection netfilter packet MARK set by Squid
</span> #
# la Local listening IP address the client connection was connected to.
# lp Local listening port number the client connection was connected to.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -3944,7 +4178,7 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # <la Local IP address of the last server or peer connection
# <lp Local port number of the last server or peer connection
# <qos Server connection TOS/DSCP value set by Squid
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# <nfmark Server connection netfilter mark set by Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# <nfmark Server connection netfilter packet MARK set by Squid
</span> #
# >handshake Raw client handshake
# Initial client bytes received by Squid on a newly
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4176,6 +4410,34 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # not available. Consider encoding the logged
# value because Issuer often has spaces.
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# ssl::<cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The received server x509 certificate in PEM
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# format, including BEGIN and END lines (or a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# dash ('-') if the certificate is unavailable).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Large certificates will exceed the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# current 8KB access.log record limit, resulting
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in truncated records. Such truncation usually
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happens in the middle of a record field. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# limit applies to all access logging modules.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The logged certificate may have failed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# validation and may not be trusted by Squid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This field does not include any intermediate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates that may have been received from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the server or fetched during certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# validation process.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Currently, Squid only collects server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# certificates during step3 of SslBump
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# processing; connections that were not subject
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# to ssl_bump rules or that did not match a peek
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or stare rule at step2 will not have the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server certificate information.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This field is using pass-through URL encoding
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # ssl::<cert_errors
# The list of certificate validation errors
# detected by Squid (including OpenSSL and
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4246,6 +4508,34 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # service name in curly braces to record response time(s) specific
# to that service. For example: %{my_service}adapt::sum_trs
#
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# Format codes related to the PROXY protocol:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# proxy_protocol::>h PROXY protocol header, including optional TLVs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Supports the same field and element reporting/extraction logic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# as %http::>h. For configuration and reporting purposes, Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maps each PROXY TLV to an HTTP header field: the TLV type
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (configured as a decimal integer) is the field name, and the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TLV value is the field value. All TLVs of "LOCAL" connections
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (in PROXY protocol terminology) are currently skipped/ignored.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid also maps the following standard PROXY protocol header
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# blocks to pseudo HTTP headers (their names use PROXY
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminology and start with a colon, following HTTP tradition
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for pseudo headers): :command, :version, :src_addr, :dst_addr,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# :src_port, and :dst_port.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Without optional parameters, this logformat code logs
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# pseudo headers and TLVs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This format code uses pass-through URL encoding by default.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # relay custom PROXY TLV #224 to adaptation services
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# adaptation_meta Client-Foo "%proxy_protocol::>h{224}"
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: %http::>h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # The default formats available (which do not need re-defining) are:
#
#logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4352,8 +4642,7 @@ cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span> # Default:
# access_log daemon:@PREFIX@/var/squid/logs/access.log squid
#Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-#access_log daemon:@PREFIX@/var/squid/logs/access.log squid_ua
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# access_log daemon:@PREFIX@/var/squid/logs/access.log squid
</span>
# TAG: icap_log
# ICAP log files record ICAP transaction summaries, one line per
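Review bot: The active `access_log daemon:@PREFIX@/var/squid/logs/access.log squid` line is replaced by a commented copy, so this file no longer sets access_log at all and Squid falls back to its compiled-in default; the `squid_ua` alternative previously offered on the removed line disappears without replacement. The added `# access_log ...` line duplicates the `#Default:` entry immediately above it, which makes the change read like an accidental comment-out rather than a decision. If relying on the built-in default is intended, a short comment such as `# access_log deliberately left at the compiled-in default (see above)` would make that explicit; if the MacPorts build's default log path differs from `@PREFIX@/var/squid/logs`, the log location changes silently, which is worth verifying.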
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4664,7 +4953,6 @@ buffered_logs on
</span> #Default:
# Use the directory from where Squid was started.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-cache_dir ufs @PREFIX@/var/squid/cache 256 16 256
</span>
# Leave coredumps in the first cache dir
coredump_dir @PREFIX@/var/squid/cache
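Review bot: With `cache_dir ufs @PREFIX@/var/squid/cache 256 16 256` removed, this configuration no longer declares any cache_dir, yet `coredump_dir @PREFIX@/var/squid/cache` and its comment `# Leave coredumps in the first cache dir` still treat that path as a cache directory. Without a cache_dir, `squid -z` will not create the directory, so core dumps may target a non-existent path unless the Portfile (outside this hunk) creates it. Either point coredump_dir at a directory that is still created, or update the comment to `# Core dumps go here; the directory must exist (no cache_dir is configured)` so the dependency is visible.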
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4816,71 +5104,81 @@ coredump_dir @PREFIX@/var/squid/cache
</span> # -----------------------------------------------------------------------------
# TAG: url_rewrite_program
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Specify the location of the executable URL rewriter to use.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Since they can perform almost any function there isn't one included.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The name and command line parameters of an admin-provided executable
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for redirecting clients or adjusting/replacing client request URLs.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# For each requested URL, the rewriter will receive on line with the format
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This helper is consulted after the received request is cleared by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_access and adapted using eICAP/ICAP services (if any). If the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# helper does not redirect the client, Squid checks adapted_http_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and may consult the cache or forward the request to the next hop.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# [channel-ID <SP>] URL [<SP> extras]<NL>
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# See url_rewrite_extras on how to send "extras" with optional values to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# the helper.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# After processing the request the helper must reply using the following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# For each request, the helper gets one line in the following format:
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# [channel-ID <SP>] result [<SP> kv-pairs]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] request-URL [<SP> extras] <NL>
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# The result code can be:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use url_rewrite_extras to configure what Squid sends as 'extras'.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# OK status=30N url="..."
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Redirect the URL to the one supplied in 'url='.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# 'status=' is optional and contains the status code to send
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# the client in Squids HTTP response. It must be one of the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# HTTP redirect status codes: 301, 302, 303, 307, 308.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# When no status is given Squid will use 302.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The helper must reply to each query using a single line:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# [channel-ID <SP>] result [<SP> kv-pairs] <NL>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The result section must match exactly one of the following outcomes:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# OK [status=30N] url="..."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Redirect the client to a URL supplied in the 'url' parameter.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Optional 'status' specifies the status code to send to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client in Squid's HTTP redirect response. It must be one of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the standard HTTP redirect status codes: 301, 302, 303, 307,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# or 308. When no specific status is requested, Squid uses 302.
</span> #
# OK rewrite-url="..."
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Rewrite the URL to the one supplied in 'rewrite-url='.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# The new URL is fetched directly by Squid and returned to
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# the client as the response to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Replace the current request URL with the one supplied in the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'rewrite-url' parameter. Squid fetches the resource specified
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the new URL and forwards the received response (or its
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cached copy) to the client.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# WARNING: Avoid rewriting URLs! When possible, redirect the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client using an "OK url=..." helper response instead.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Rewriting URLs may create inconsistent requests and/or break
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# synchronization between internal client and origin server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# states, especially when URLs or other message parts contain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# snippets of that state. For example, Squid does not adjust
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Location headers and embedded URLs after the helper rewrites
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the request URL.
</span> #
# OK
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# When neither of url= and rewrite-url= are sent Squid does
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# not change the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keep the client request intact.
</span> #
# ERR
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Do not change the URL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Keep the client request intact.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# BH
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# An internal error occurred in the helper, preventing
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# a result being identified. The 'message=' key name is
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# reserved for delivering a log message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# BH [message="..."]
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A helper problem that should be reported to the Squid admin
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# via a level-1 cache.log message. The 'message' parameter is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reserved for specifying the log message.
</span> #
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# In addition to the kv-pairs mentioned above, Squid also understands
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the following optional kv-pairs in URL rewriter responses:
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# In addition to the above kv-pairs Squid also understands the following
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# optional kv-pairs received from URL rewriters:
</span> # clt_conn_tag=TAG
# Associates a TAG with the client TCP connection.
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# The TAG is treated as a regular annotation but persists across
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# future requests on the client connection rather than just the
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# current request. A helper may update the TAG during subsequent
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# requests be returning a new kv-pair.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# When using the concurrency= option the protocol is changed by
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# introducing a query channel tag in front of the request/response.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# The query channel tag is a number between 0 and concurrency-1.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# This value must be echoed back unchanged to Squid as the first part
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# of the response relating to its request.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The clt_conn_tag=TAG pair is treated as a regular transaction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# annotation for the current request and also annotates future
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests on the same client connection. A helper may update
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the TAG during subsequent requests by returning a new kv-pair.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# WARNING: URL re-writing ability should be avoided whenever possible.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# Use the URL redirect form of response instead.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Re-write creates a difference in the state held by the client
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# and server. Possibly causing confusion when the server response
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# contains snippets of its view state. Embeded URLs, response
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# and content Location headers, etc. are not re-written by this
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# interface.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Helper messages contain the channel-ID part if and only if the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# url_rewrite_children directive specifies positive concurrency. As a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# channel-ID value, Squid sends a number between 0 and concurrency-1.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The helper must echo back the received channel-ID in its response.
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# By default, a URL rewriter is not used.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# By default, Squid does not use a URL rewriter.
</span> #Default:
# none
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -5827,11 +6125,8 @@ acl apple-appservices-and-akamai-subnets dst \
</span> 17.250.64.0/18 \
17.248.192.0/19
<span style='display:block; white-space:pre;background:#ffe0e0;'>-request_header_access User-Agent allow apple-enterprise-network-domains
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-request_header_access User-Agent allow apple-appservices-and-akamai-subnets
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> request_header_access User-Agent deny all
<span style='display:block; white-space:pre;background:#ffe0e0;'>-request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Safari/605.1.15
</span>
# TAG: reply_header_access
# Usage: reply_header_access header_name allow|deny [!]aclname ...
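Review bot: Removing the two `request_header_access User-Agent allow ...` rules makes `request_header_access User-Agent deny all` unconditional, so the replacement User-Agent is now also sent to the Apple and Akamai destinations those ACLs previously exempted; the commit message ("Update to squid5") does not say this behaviour change is intended. The `acl apple-appservices-and-akamai-subnets dst` definition visible in the hunk header (and presumably `apple-enterprise-network-domains`) is no longer referenced within this hunk, so if nothing else uses them they are now dead configuration. The new UA string also hard-codes Safari 13.1.1 on macOS 10.15.5 and will keep aging; a comment such as `# Generic UA sent in place of the client's; refresh periodically` would make the maintenance expectation explicit.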
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6033,22 +6328,59 @@ request_header_replace User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4
</span> #Default:
# collapsed_forwarding off
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# TAG: collapsed_forwarding_shared_entries_limit (number of entries)
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# This limits the size of a table used for sharing information
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# about collapsible entries among SMP workers. Limiting sharing
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# too much results in cache content duplication and missed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# collapsing opportunities. Using excessively large values
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# wastes shared memory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: collapsed_forwarding_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this directive to restrict collapsed forwarding to a subset of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# eligible requests. The directive is checked for regular HTTP
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# requests, internal revalidation requests, and HTCP/ICP requests.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsed_forwarding_access allow|deny [!]aclname ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive cannot force collapsing. It has no effect on
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsing unless collapsed_forwarding is 'on', and all other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapsing preconditions are satisfied.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * A denied request will not collapse, and future transactions will
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# not collapse on it (even if they are allowed to collapse).
</span> #
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# The limit should be significantly larger then the number of
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# concurrent collapsible entries one wants to share. For a cache
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# that handles less than 5000 concurrent requests, the default
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * An allowed request may collapse, or future transactions may
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# collapse on it (provided they are allowed to collapse).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive is evaluated before receiving HTTP response headers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and without access to Squid-to-peer connection (if any).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Only fast ACLs are supported.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also: collapsed_forwarding.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Requests may be collapsed if collapsed_forwarding is on.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: shared_transient_entries_limit (number of entries)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive limits the size of a table used for sharing current
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction information among SMP workers. A table entry stores meta
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# information about a single cache entry being delivered to Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client(s) by one or more SMP workers. A single table entry consumes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# less than 128 shared memory bytes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The limit should be significantly larger than the number of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# concurrent non-collapsed cachable responses leaving Squid. For a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache that handles less than 5000 concurrent requests, the default
</span> # setting of 16384 should be plenty.
#
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# If the limit is set to zero, it disables sharing of collapsed
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# forwarding between SMP workers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Using excessively large values wastes shared memory. Limiting the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# table size too much results in hash collisions, leading to lower hit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ratio and missed SMP request collapsing opportunities: Transactions
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# left without a table entry cannot cache their responses and are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# invisible to other concurrent requests for the same resource.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A zero limit is allowed but unsupported. A positive small limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lowers hit ratio, but zero limit disables a lot of essential
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# synchronization among SMP workers, leading to HTTP violations (e.g.,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# stale hit responses). It also disables shared collapsed forwarding:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# A worker becomes unable to collapse its requests on transactions in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# other workers, resulting in more trips to the origin server and more
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache thrashing.
</span> #Default:
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# collapsed_forwarding_shared_entries_limit 16384
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# shared_transient_entries_limit 16384
</span>
# TIMEOUTS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6355,6 +6687,9 @@ visible_hostname localhost
</span> # need an identification token to allow control targeting. Because
# a farm of surrogates may all perform the same tasks, they may share
# an identification token.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When the surrogate is a reverse-proxy, this ID is also
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# used as cdn-id for CDN-Loop detection (RFC 8586).
</span> #Default:
# visible_hostname is used if no specific ID is set.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6654,6 +6989,55 @@ visible_hostname localhost
</span> #Default:
# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: response_delay_pool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This option configures client response bandwidth limits using the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# following format:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response_delay_pool name [option=value] ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# name the response delay pool name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# available options:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual-restore The speed limit of an individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bucket(bytes/s). To be used in conjunction
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# with 'individual-maximum'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# individual-maximum The maximum number of bytes which can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be placed into the individual bucket. To be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in conjunction with 'individual-restore'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aggregate-restore The speed limit for the aggregate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# bucket(bytes/s). To be used in conjunction with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 'aggregate-maximum'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# aggregate-maximum The maximum number of bytes which can
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# be placed into the aggregate bucket. To be used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# in conjunction with 'aggregate-restore'.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# initial-bucket-level The initial bucket size as a percentage
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of individual-maximum.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Individual and(or) aggregate bucket options may not be specified,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# meaning no individual and(or) aggregate speed limitation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See also response_delay_pool_access and delay_parameters for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# terminology details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# none
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: response_delay_pool_access
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Determines whether a specific named response delay pool is used
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# for the transaction. The syntax for this directive is:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response_delay_pool_access pool_name allow|deny acl_name
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# All response_delay_pool_access options are checked in the order
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# they appear in this configuration file. The first rule with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# matching ACL wins. If (and only if) an "allow" rule won, Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# assigns the response to the corresponding named delay pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Deny use of the pool, unless allow rules exist in squid.conf for the pool.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # WCCPv1 AND WCCPv2 CONFIGURATION OPTIONS
# -----------------------------------------------------------------------------
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6803,7 +7187,7 @@ visible_hostname localhost
</span> # wccp2_weight 10000
# TAG: wccp_address
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Use this option if you require WCCPv2 to use a specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option if you require WCCP(v1) to use a specific
</span> # interface address.
#
# The default behavior is to not bind to any specific address.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -6811,7 +7195,7 @@ visible_hostname localhost
</span> # Address selected by the operating system.
# TAG: wccp2_address
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# Use this option if you require WCCP to use a specific
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Use this option if you require WCCPv2 to use a specific
</span> # interface address.
#
# The default behavior is to not bind to any specific address.
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -7376,6 +7760,7 @@ log_icp_queries off
</span> #
# URL FORMAT TAGS:
# %a - username (if available. Password NOT included)
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# %A - Local listening IP address the client connection was connected to
</span> # %B - FTP path URL
# %e - Error number
# %E - Error description
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -7512,6 +7897,10 @@ always_direct allow ftp
</span> always_direct allow apple-appservices-and-akamai-subnets
always_direct allow apple-enterprise-network-domains
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# Do not send Zoom https://*.zoom.us through Privoxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+acl zoom-us-domain dstdomain .zoom.us
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+always_direct allow CONNECT zoom-us-domain
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # Do not send AWS requests through Privoxy
acl aws-domains dstdomain \
.aws.amazon.com \
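Review bot: `always_direct allow CONNECT zoom-us-domain` references an ACL named CONNECT that this hunk does not define; it is presumably the stock `acl CONNECT method CONNECT` from Squid's default configuration earlier in the file, and because Squid rejects a configuration that names an undefined ACL, a comment recording that dependency would help the next editor: `# CONNECT is the stock "acl CONNECT method CONNECT" ACL defined earlier in this file`. The comment above the rule could also say what is and is not bypassed: always_direct only selects the route (origin server instead of the Privoxy peer these rules avoid), so the tunnel still has to pass http_access and only Privoxy's filtering is skipped, e.g. `# Route Zoom CONNECT tunnels directly instead of via Privoxy; http_access rules still apply`. Limiting the rule to CONNECT means cleartext HTTP requests to .zoom.us still go through Privoxy, which matches the "https://*.zoom.us" wording but is worth stating explicitly. The run of always_direct rules this hunk extends begins before the hunk.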
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8462,21 +8851,6 @@ hosts_file @PREFIX@/etc/@NAME@/@NAME@-hosts
</span> #Default:
# ignore_unknown_nameservers on
<span style='display:block; white-space:pre;background:#ffe0e0;'>-# TAG: dns_v4_first
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# With the IPv6 Internet being as fast or faster than IPv4 Internet
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# for most networks Squid prefers to contact websites over IPv6.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-#
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# This option reverses the order of preference to make Squid contact
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# dual-stack websites over IPv4 first. Squid will still perform both
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# IPv6 and IPv4 DNS lookups before connecting.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-#
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# WARNING:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# This option will restrict the situations under which IPv6
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# connectivity is used (and tested). Hiding network problems
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# which would otherwise be detected and warned about.
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-#Default:
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-# dns_v4_first off
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>-
</span> # TAG: ipcache_size (number of entries)
# Maximum number of DNS IP cache entries.
#Default:
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8818,6 +9192,9 @@ pipeline_prefetch 3
</span> # windows_ipaddrchangemonitor on
# TAG: eui_lookup
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# Note: This option is only available if Squid is rebuilt with the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# --enable-eui
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span> # Whether to lookup the EUI or MAC address of a connected client.
#Default:
# eui_lookup on
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8860,6 +9237,99 @@ eui_lookup off
</span> #Default:
# Deny, unless rules exist in squid.conf.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: http_upgrade_request_protocols
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Controls client-initiated and server-confirmed switching from HTTP to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# another protocol (or to several protocols) using HTTP Upgrade mechanism
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# defined in RFC 7230 Section 6.7. Squid itself does not understand the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocols being upgraded to and participates in the upgraded
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# communication only as a dumb TCP proxy. Admins should not allow
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# upgrading to protocols that require a more meaningful proxy
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# participation.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Usage: http_upgrade_request_protocols <protocol> allow|deny [!]acl ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The required "protocol" parameter is either an all-caps word OTHER or an
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# explicit protocol name (e.g. "WebSocket") optionally followed by a slash
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and a version token (e.g. "HTTP/3"). Explicit protocol names and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# versions are case sensitive.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# When an HTTP client sends an Upgrade request header, Squid iterates over
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the client-offered protocols and, for each protocol P (with an optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# version V), evaluates the first non-empty set of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols rules (if any) from the following list:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * All rules with an explicit protocol name equal to P.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# * All rules that use OTHER instead of a protocol name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# In other words, rules using OTHER are considered for protocol P if and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# only if there are no rules mentioning P by name.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If both of the above sets are empty, then Squid removes protocol P from
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the Upgrade offer.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If the client sent a versioned protocol offer P/X, then explicit rules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# referring to the same-name but different-version protocol P/Y are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# declared inapplicable. Inapplicable rules are not evaluated (i.e. are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# ignored). However, inapplicable rules still belong to the first set of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# rules for P.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Within the applicable rule subset, individual rules are evaluated in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# their configuration order. If all ACLs of an applicable "allow" rule
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# match, then the protocol offered by the client is forwarded to the next
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# hop as is. If all ACLs of an applicable "deny" rule match, then the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offer is dropped. If no applicable rules have matching ACLs, then the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offer is also dropped. The first matching rule also ends rules
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# evaluation for the offered protocol.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If all client-offered protocols are removed, then Squid forwards the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# client request without the Upgrade header. Squid never sends an empty
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Upgrade request header.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# An Upgrade request header with a value violating HTTP syntax is dropped
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and ignored without an attempt to use extractable individual protocol
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# offers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Upon receiving an HTTP 101 (Switching Protocols) control message, Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checks that the server listed at least one protocol name and sent a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Connection:upgrade response header. Squid does not understand individual
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# protocol naming and versioning concepts enough to implement stricter
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checks, but an admin can restrict HTTP 101 (Switching Protocols)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# responses further using http_reply_access. Responses denied by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_reply_access rules and responses flagged by the internal Upgrade
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# checks result in HTTP 502 (Bad Gateway) ERR_INVALID_RESP errors and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Squid-to-server connection closures.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# If Squid sends an Upgrade request header, and the next hop (e.g., the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# origin server) responds with an acceptable HTTP 101 (Switching
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Protocols), then Squid forwards that message to the client and becomes
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# a TCP tunnel.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The presence of an Upgrade request header alone does not preclude cache
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# lookups. In other words, an Upgrade request might be satisfied from the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# cache, using regular HTTP caching rules.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This clause only supports fast acl types.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each of the following groups of configuration lines represents a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# separate configuration example:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # never upgrade to protocol Foo; all others are OK
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols Foo deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols OTHER allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # only allow upgrades to protocol Bar (except for its first version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols Bar/1 deny all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols Bar allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols OTHER deny all # this rule is optional
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# # only allow upgrades to protocol Baz, and only if Baz is the only offer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# acl UpgradeHeaderHasMultipleOffers ...
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols Baz deny UpgradeHeaderHasMultipleOffers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# http_upgrade_request_protocols Baz allow all
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Upgrade header dropped, effectively blocking an upgrade attempt.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span> # TAG: server_pconn_for_nonretriable
# This option provides fine-grained control over persistent connection
# reuse when forwarding HTTP requests that Squid cannot retry. It is useful
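Review bot: The hunk adds only the reference text for http_upgrade_request_protocols and the port's configuration does not appear to set the directive anywhere in this diff, so the default stated at the bottom of the hunk applies: client Upgrade offers are dropped and a cleartext-HTTP WebSocket (or other Upgrade) attempt through the proxy fails silently instead of being tunnelled. For a local filtering proxy that is the conservative choice and worth keeping, but a user of this port would not learn it from commented reference text alone. CONNECT tunnels carry any upgrade inside TLS, so only cleartext HTTP clients are affected, which bounds the impact. Consider a comment next to the port's active rules such as `# http_upgrade_request_protocols is left at the default: Upgrade offers are dropped, so no cleartext-HTTP WebSocket tunnelling through Squid`.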
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -8894,3 +9364,85 @@ eui_lookup off
</span> #Default:
# Open new connections for forwarding requests Squid cannot retry safely.
<span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: happy_eyeballs_connect_timeout (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This Happy Eyeballs (RFC 8305) tuning directive specifies the minimum
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# delay between opening a primary to-server connection and opening a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spare to-server connection for the same master transaction. This delay
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# is similar to the Connection Attempt Delay in RFC 8305, but it is only
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# applied to the first spare connection attempt. Subsequent spare
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection attempts use happy_eyeballs_connect_gap, and primary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection attempts are not artificially delayed at all.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Terminology: The "primary" and "spare" designations are determined by
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the order of DNS answers received by Squid: If Squid DNS AAAA query
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# was answered first, then primary connections are connections to IPv6
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# peer addresses (while spare connections use IPv4 addresses).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Similarly, if Squid DNS A query was answered first, then primary
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections are connections to IPv4 peer addresses (while spare
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connections use IPv6 addresses).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Shorter happy_eyeballs_connect_timeout values reduce master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction response time, potentially improving user-perceived
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# response times (i.e., making user eyeballs happier). Longer delays
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# reduce both concurrent connection level and server bombardment with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# connection requests, potentially improving overall Squid performance
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# and reducing the chance of being blocked by servers for opening too
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# many unused connections.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# RFC 8305 prohibits happy_eyeballs_connect_timeout values smaller than
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# 10 (milliseconds) to "avoid congestion collapse in the presence of
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# high packet-loss rates".
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following Happy Eyeballs directives place additional connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opening restrictions: happy_eyeballs_connect_gap and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_limit.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_timeout 250
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: happy_eyeballs_connect_gap (msec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# minimum delay between opening spare to-server connections (to any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# server; i.e. across all concurrent master transactions in a Squid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# instance). Each SMP worker currently multiplies the configured gap
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# by the total number of workers so that the combined spare connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opening rate of a Squid instance obeys the configured limit. The
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# workers do not coordinate connection openings yet; a micro burst
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# of spare connection openings may violate the configured gap.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive has similar trade-offs as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_timeout, but its focus is on limiting traffic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# amplification effects for Squid as a whole, while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_timeout works on an individual master
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# transaction level.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following Happy Eyeballs directives place additional connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opening restrictions: happy_eyeballs_connect_timeout and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_limit. See the former for related terminology.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no artificial delays between spare attempts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# TAG: happy_eyeballs_connect_limit
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This Happy Eyeballs (RFC 8305) tuning directive specifies the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# maximum number of spare to-server connections (to any server; i.e.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# across all concurrent master transactions in a Squid instance).
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Each SMP worker gets an equal share of the total limit. However,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# the workers do not share the actual connection counts yet, so one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (busier) worker cannot "borrow" spare connection slots from another
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# (less loaded) worker.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# Setting this limit to zero disables concurrent use of primary and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# spare TCP connections: Spare connection attempts are made only after
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# all primary attempts fail. However, Squid would still use the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# DNS-related optimizations of the Happy Eyeballs approach.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# This directive has similar trade-offs as happy_eyeballs_connect_gap,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# but its focus is on limiting Squid overheads, while
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_gap focuses on the origin server and peer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# overheads.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# The following Happy Eyeballs directives place additional connection
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# opening restrictions: happy_eyeballs_connect_timeout and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# happy_eyeballs_connect_gap. See the former for related terminology.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+#Default:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+# no artificial limit on the number of concurrent spare attempts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span></pre><pre style='margin:0'>
</pre>